We are facing an issue w.r.t to the SSL Certificates.
We have 3 hosts on which SSL Certificates have been applied.
Web (IIS 8), Mobile (IIS 8), PingFederate
The SSL is working fine in case of Web.
Web Workflow:
Web(https) > PingFederate(https) > ADFS(https)
After the request gets successfully authenticated by ADFS, our request takes the following route:
ADFS(https) > PingFederate(https) > Web(https).
In case of Mobile, we are getting an error at the following stage:
Mobile(https) > PingFederate(https) > ADFS(https)
After the request gets successfully authenticated by ADFS, our request takes the following route:
ADFS(https) > PingFederate (https)
As soon as the request gets out of ADFS, the following error message is displayed:
The certificate for this server is invalid. You might be connecting to a server that is pretending to be https://pingfederate.com which could put your confidential information at risk
When we try to access the Mobile Server via Internet Explorer from our laptop, following error message is displayed:
This organization's certificate has been revoked.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We are trying to understand if there are Certificate Issues with PingFederate(https), then we should be getting these issues while going from Web(https) > PingFederate(https) > ADFS(https) and also while going from Mobile(https) > PingFederate(https) > ADFS(https).
But we are getting certificate issues only while return from ADFS(https) > PingFederate (https) and that too in case of mobile server only.
Can anyone please suggest what we should do.
Thank You
Related
I created a message flow having rest request node to connect to an API. API security enabled received the following error:
BIP3165S: An error occurred whilst performing an SSL socket operation.
Operation: connect. Error Text: javax.net.ssl.SSLHandshakeException:
com.ibm.jsse2.util.j: PKIX path building failed:
com.ibm.security.cert.IBMCertPathBuilderException: unable to find
valid certification path to requested target.
How do I solve this issue in my message flow?
I disabled SSL but still received the same error.
What is the SSL client and server endpoints? Assuming this connection is:
WAS (server) <------SSL------> API (Client)
In one-way SSL, the solution is to add the root or intermediate certificate (from the WAS server's chain) to the client's trust store.
"PKIX path building failed" usually indicates that the SSL client was unable to authenticate the SSL server (remote host). To authenticate the server, the client needs to have the server's root or intermediate certificate in its trust store.
If this is happening with traditional WebSphere as the client, we can try to add the signer certificate with retrieve from port.
If mutual authentication is enabled, the issue can be with the server being unable to authenticate the client.
Either way, an SSL exception should not occur with SSL disabled. Maybe the server wasn't re-started after disabling SSL? Maybe SSL wasn't disabled correctly (on both endpoints)? Maybe the API was still trying to use HTTPS with SSL disabled?
I put my site behind Cloudflare last week and it has been working well. But today I woke up to an error message that my site is not accessible.
I am getting generic nginx 403 page when I am trying to access my site (same as https://community.cloudflare.com/t/why-403-forbidden-all-of-a-sudden-when-i-go-to-my-site/3453), along with 'not secure' warning in Chrome address bar.
When I disable CDN as shown in the picture, the error disappears.
I am using an SSL cert issued by Letsencrypt in my server and a Full SSL in Cloudflare. I can confirm that Letsencrypt cert has not been expired.
Any ideas how to debug this issue? I am confused as to why it was working and suddenly stopped working when nothing changed.
Additional information
When I enable the CDN, I get the following error(ERR_CERT_COMMON_NAME_INVALID) in Chrome's security tab:
The error I get when I curl the https version of the site is:
curl: (51) SSL: no alternative certificate subject name matches target host name 'my-domain.com'
I have just recently installed fiddler, to watch calls made to my web API project from an office web App. These calls are sent over SSL so I enabled fiddler to decrypt HTTPS traffic. Installed the fiddler root certificate into my Firefox browser following these steps:
http://www.telerik.com/blogs/configuring-firefox-for-fiddler
When connecting to any HTTPS site with fiddler running I receive this error.
HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 10:06:51.230
Connection: close
fiddler.network.https> HTTPS handshake to mail.ionstaging.com (for #7) failed.
System.Security.Cryptography.CryptographicException Unspecified error
When I used set doc=db.GetDocumentByURL(url,1,1,,,,,False) to get a page/file under http, it returned the web page/file successfully as a Notes document.
But when I used set doc=db.GetDocumentByURL(url,1,1,username,password,,,False) to get an ssl page/file under https, where url is like "https://docs.google.com/document/d/xxxxoooo/edit", it failed and the remote console showed the error messages:
SSL Error: Keyring File access error
Connection interrupted: SSL Error: Bad or missing remote certificate
Can't db.GetDocumentByURL() access an ssl page/file? What should I do?
Assuming you are using Windows - make sure that IE can open the page. I've seen this problem in case the server's SSL certificate was self-signed and installing it in IE solved the problem.
I have installed a renewed SSL certificate on my web server running IIS7.
After installation, I applied website binding to port 443.
My application uses client certificates too, so I have changed the SSL setting to Require 'client certificate'.
Both client and SSL server certificates are valid but still I am not able to access my application. The error I get is:
403 - Forbidden: Access is denied.
I have enabled client certificate mapping in IIS role settings also but still not getting rid of this 403 error.
I guess client certificate is not able to handshake with server certificate. Please help!
In certificate Store verified all server certificate and client cert with its authority hierarchy are available.
also cross check below settings
Application Authentication: Anonymous
Application SSL Setting: Require SSL/ Accept
ApplicationHost.config: enabled OnetoOneMapping under iisClientCertificateMappingAuthentication also added base64 certificate mapped with service accounts
Also based on my past experience we need to ensure we have SChannel registry setting as mentioned in below post.
https://support.microsoft.com/en-us/kb/2464556
Simplest workaround just discovered this today. In IIS for your application, Go to Edit Bindings and change your port number. 443 to 4431 or 44301. Any variation you want. In your client computer, type in the new URL using new port number and you will establish a fresh connection to application. Make sure you SSL Settings for IIS Application is set to "Accept" instead of "Require". This means you can click "Cancel" when the pop up asks you to select a certificate you can simply hit "Cancel" and still hit the site. No 403 Error.
Do not spend hours trying to mess with your certificate store, just simply change the port on IIS Server and you'll be fine.